Keeping track of access control changes is hard — unless your CI does it for you.
This guide shows how to:
- Generate a Role × Field matrix in HTML
- Detect diffs between
devandprodRBAC - Auto-post a visual report as a comment on the related GitHub Pull Request
No more guessing who can access what — reviewers get it inline and real-time.
1. Output Format: HTML Report
Use your rbac-matrix.js or similar script to generate:
node rbac-matrix.js metadata-dev/ > rbac-dev.csv
node rbac-matrix.js metadata-prod/ > rbac-prod.csv
node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html
Example table (simplified):
<table>
<thead><tr><th>Role</th><th>Table</th><th>Field</th><th>Diff</th></tr></thead>
<tbody>
<tr><td>user</td><td>invoices</td><td>amount</td><td style="color: red;">SELECT: Removed</td></tr>
<tr><td>admin</td><td>logs</td><td>ip_address</td><td style="color: green;">INSERT: Added</td></tr>
</tbody>
</table>
Wrap this with:
<details><summary>RBAC Drift Report</summary>
...table here...
</details>
2. GitHub Actions Workflow
Step 1: Prepare workflow file .github/workflows/rbac-report.yml
name: RBAC Diff and PR Comment
on:
pull_request:
paths:
- 'metadata/**'
jobs:
rbac-diff:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install Deps
run: npm install
- name: Generate RBAC Diff Report
run: |
node rbac-matrix.js metadata-dev/ > rbac-dev.csv
node rbac-matrix.js metadata-prod/ > rbac-prod.csv
node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html
- name: Post Comment
uses: peter-evans/create-or-update-comment@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
issue-number: ${{ github.event.pull_request.number }}
body-path: ./rbac-diff.html
edit-mode: replace
💡 Tip:
edit-mode: replaceensures one comment is reused, not spammed on every run.
3. Optional: Format HTML as Markdown for Better PR UX
Instead of full HTML table, convert to GitHub-flavored Markdown table in diff-rbac.js:
| Role | Table | Field | Diff |
|------|-------|--------|------|
| user | invoices | amount | ~~SELECT~~ ❌ |
| admin | logs | ip_address | ✅ INSERT |
Then use body-path: rbac-diff.md
4. Result in PR
When a contributor changes Hasura metadata in a PR:
✅ RBAC diff is generated
✅ Visual diff table is posted as PR comment
✅ Reviewers can approve/reject RBAC changes inline
Final Thoughts
RBAC is infrastructure. Treat it like code.
When security drifts silently, CI must speak loudly.
With RBAC visual bots in place, your team never misses a permission gap again.
Next:
- Slack alerts on critical diffs
- Diff severity heatmaps
- RBAC policy-as-code enforcement gate
Comment the matrix. Review the diff. Secure the graph.
Top comments (0)